When thinking about cloud security, you have to address the role identity plays.

“Identity is the center of the universe—of the technology universe,” said Eleanor Meritt, SVP, product support, sustaining engineering & IDM development at Oracle, during a conversation at Oracle Cloud World 2023.

“Fundamentally, identity is managing your users, your apps; there has to be a level of security around what your users are doing.”

The risks around identity have become one of the most talked-about threats to cloud security. Credential theft and compromise are involved in more than 60% of all data breaches, according to the Verizon Data Breach Investigations Report. Outsiders are gaining access to those credentials through brute force and social engineering attacks.

In fact, so much attention is paid to outside threat actors finding ways to compromise identities that insider risk is often overlooked.

It’s Coming from Inside the Company

Users are lazy about taking care of the credentials that confirm and protect their identities—poor password management, staying logged in after they are finished with an application and more. Tools like single sign-on (SSO) have made access a lot easier, but sometimes it makes us careless, too. That can create risk.

There need to be safeguards built around privileges and policies, said Meritt, and there need to be processes in place that allow for continuous monitoring to ensure that nothing unusual is happening from the inside.

“There have been some attacks recently done by insiders,” said Meritt. “They were people who had access to information inside their own company.” But if there aren’t tools or mechanisms in place to monitor behaviors and tools that offer access governance, then it is nearly impossible to determine if legitimate user identities are using their privileges appropriately.

It’s necessary to watch how users are using their credentials in the cloud, but it also helps to be able to compare those actions to users’ peers, Meritt pointed out. Are they accessing more sites and applications than co-workers in similar roles? What is the frequency of their access to these applications, and does it fall in line with the behavior of others with comparable duties?

Access to Orphaned Accounts

Meritt calls it a ticking time bomb—the problem of identities that have permission to access sites and applications that they never touch.

“What happens when people switch roles within an organization?” Meritt asked. It’s something that happens a lot, but too often their identity’s access and privileges don’t change.

A perfect example of this is a teaching hospital connected with a university. A medical student will have one type of access, but it will be very limited, Meritt explained. When that medical student becomes a resident, they will now need access to patient records. After residency, the new doctor takes a job at another hospital, but as an alumnus, they continue to have access to resources at the university and hospital. They still have an account at the hospital, which is a legitimate account, but they never use the account—they, in fact, may not realize that access is still available.

Mitigating the risks of this ‘open but orphaned’ account shouldn’t fall on the user and their identity. Organizations need to do a better job at managing and monitoring the life cycle of a legitimate identity so that it doesn’t create additional risk to the cloud environment.

“It can cause massive problems if somebody has too much access or inappropriate access,” said Meritt. “There have to be tools that can oversee that the determine that there’s usual or unusual behavior happening.”

If no one is overseeing the access an identity has in a cloud environment or monitoring the behaviors around access, it opens the door for serious cloud security problems from the inside.